Windows 7, AppLocker and related stuff

I think it’s a pretty good summary of how to set up Software Restriction Policies to be even tighter than the default settings. Basically, LUA + default SRP is already very, very secure. But if you’re concerned about more fancy and theoretical POCs and bypasses, you should probably lock down the Windows Script Host and also the Command Prompt, as well as some others. Seriously, I am still in a bit of awe at how powerful LUA + SRP + SuRun can be. I am glad to still be using Windows XP, as SuRun is just amazing software. It doesn’t seem to really work on Windows 7 though, and I doubt it’ll be updated for it (I think the author of SuRun seems to have disappeared).

Anyway, when I eventually move to Windows 7 in about 2 or 3 years time, I’ll be using some variant of Sandboxie + SUA + SRP/AppLocker +/- UAC. I’m not really sure if it’s going to be as secure as my current XP setup, but it’ll come close enough.

I am using Windows 7 and recently changed from LUA + SRP to LUA + AppLocker. It appears to be more configurable. Another advantage is you can set it to audit only to test it before you turn it on fully.

It does appear to block batch files from running. If I try to run a batch file in LUA it shows the “blocked by group policy” message in the command window so it is hard to see it if you run a batch file from explorer.

The only oddity I have noticed is every time I log on to Windows it says it has blocked some theme file but I don’t know what this is and it causes no problems.

I also control DLLs with it. This leads to a large audit log and I have not found how to stop it auditing when something is allowed. It does not appear to slow down my PC. It would be nice to only audit what was blocked.

MSI installers are a pain. To install these I run a command prompt as administrator and launch the MSI from this. Batch files can be run as administrator the same way but I don’t use batch files at home.

I have not tried SuRun but might sometime for running games.
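The large audit log and the unidentified "theme file" blocked at logon described above can both be dealt with at query time: AppLocker always logs allowed executions too, so the practical answer to "only audit what was blocked" is to filter the event logs for the deny and audit-only events. The following PowerShell script is an added example, not code from the original post; it assumes the standard AppLocker event log names and event IDs (8004/8007 blocked in enforce mode, 8003/8006 "would have been blocked" in audit-only mode), an elevated PowerShell session (the AppLocker logs need administrator rights to read), and is written to stay compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): summarise AppLocker deny and
# audit-only events over the last 7 days, grouped by file path, so that the
# noisy "allowed" entries (8002/8005) are left out. Assumes the default
# AppLocker log names and event IDs and an elevated PowerShell session.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
# 8004/8007 = blocked (enforce mode); 8003/8006 = would have been blocked (audit-only mode)
$ids   = 8003, 8004, 8006, 8007
$since = (Get-Date).AddDays(-7)

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

$rows = foreach ($e in $events) {
    # AppLocker stores rule/file details in UserData/RuleAndFileData of the event XML
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.UserData.RuleAndFileData
    if (8004, 8007 -contains $e.Id) { $mode = 'Blocked' } else { $mode = 'AuditOnly' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Mode     = $mode
        FilePath = $data.FilePath
        User     = $data.TargetUser
        Policy   = $data.PolicyName   # EXE, DLL, MSI or SCRIPT rule collection
    }
}

# One line per distinct file path, most frequent first: the logon-time entry
# with a theme-related path is the "theme file" the poster is seeing.
$rows |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'FilePath'; e = { $_.Name } },
        @{ n = 'Mode';     e = { ($_.Group | ForEach-Object { $_.Mode } | Select-Object -Unique) -join ',' } },
        @{ n = 'Policy';   e = { ($_.Group | ForEach-Object { $_.Policy } | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Once a path shows up here that you decide is legitimate, an allow rule for it (checked first with Test-AppLockerPolicy) both removes the logon message and stops that entry recurring in the log.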

I like security that doesn’t “limit” what I can do as much. That is why I use an admin account… I don’t want to keep switching to do what I want.

Long ago I created POLL: Trusted vendors Enhancements in the wishlist board to extend over Digital signature usage in a way similar to applocker.

Not many members appeared to be interested though (even though not many got AppLocker) :frowning:

Thanks for sharing your experience!

AppLocker is certainly an excellent tool, and much easier to configure than SRP. However, that’s something I can look forward to when I eventually move to Windows 7 Ultimate in a couple of years.

Be careful trying out SuRun with Windows 7 - I’ve tested it in my VM and it does NOT work well at all. In fact, it basically doesn’t work. It appears to install, and that’s about all it does haha. However, it has been working perfectly for me on Windows XP for several months.

By the way, can’t you just right click and “Run as administrator” to run your games in LUA (SUA) etc? Regardless, it’s a real pity Microsoft didn’t implement something like SuRun in Windows 7. Maybe for Windows 8 then haha.

What? Who said anything about limiting what you can do? With my setup (in my LUA), I play games online (Starcraft 1…yes, it’s still the best game out there haha), watch videos, listen to music, chat to friends/family, surf wherever the heck I want, test out malware and applications in my Virtual Machine etc etc. Basically I can do everything in my LUA, including installing/updating programs if I wanted to (since I have SuRun), but I simply switch to my admin account (takes about 5 seconds?) whenever I want to do this type of computer “house-work”. For just about everything else, I stay in my LUA, and I rarely have to use SuRun. With SuRun, I often defragment my system while in my LUA.

But in summary, I’d only have to go into my admin account a couple of times a month. The fact is that 99.99% of people out there would run LUA/SUA + SRP/AppLocker very happily and would rarely need to go into their admin account (once they have their systems running the way they like it). Linux developers and users have always known about the dangers (and to put it bluntly, stupidity) of running as root (admin) by default. More than half of all malware (some studies show up to 95%) can be stopped dead in its tracks by simply running as a limited user.

Anyway, enough ranting for now haha.

Well, I remember I tried to switch once, a while back. Got quite frustrated, and switched back.

Yes, I had the same problems too when I tried it years ago. But I think for an above average user like me, discovering SuRun made the big difference on Windows XP.

However, I don’t think there’s much excuse to not use LUA (SUA) on Windows 7. Microsoft have made it much easier to run as a limited user on Windows 7 (and even Vista I think).